(54) Secure printing



(57) In a distributed computing environment, a user is able to send a document to a secure printer (140) in such a way that only a specified intended recipient can print the document.

When the user specifies that the document is to be printed securely, a special print job is created in which the document is encrypted using a session key and a bulk encryption algorithm, and the session key is encrypted using the intended recipient's public key. Then, the encrypted session key, the encrypted document and an indication of the intended recipient's identity are transmitted to a print server (130), where the print job is held.

When the recipient's smart card (145) is inserted into a smart card reader of the secure printer (140), the recipient's identity, taken from the smart card (145), is transmitted to the print server (130). The print server uses the identity to search for and retrieve documents intended for the recipient. If the recipient is the intended recipient, the encrypted document and encrypted session key are transmitted to the secure printer (140). The secure printer (140) then forwards the encrypted session key to the smart card (145), which decrypts the session key using an embedded private key. The secure printer (140) then receives and uses the session key to decrypt the encrypted document and, finally, prints the document for the recipient.

Technical Field

[0001] The present invention relates to hardcopy production of documents and particularly, but not exclusively, to document printing.

Background Art 

[0002] It is well known to generate or design a document using a computer-based text editing or graphics package, for example Microsoft™ Word or Microsoft™ PowerPoint respectively. Once generated, a document can be printed. Typically the package or a print driver formats the document into a printer file that can be received and interpreted by a printer. Example printer file formats are PCL or PostScript. Printer files can be sent directly by the package to a printer to be printed, or can be stored for printing at a later time.

[0003] This principle typically applies to all types of printer, for example laser printers, ink jet printers, impact printers and thermal printers, and in general to other hardcopy devices such as plotters or facsimile machines. Conveniently, herein, the term "printer" covers all such different types of printer, or other hardcopy or document rendering apparatus and devices.

[0004] Also, for the sake of convenience of description herein, the term "document" will hereafter be used to denote a document in any state, including (but not limited to) when viewed on a computer display, when formatted as a printer file ready for printing, and when in hardcopy form. The state the document is in at any point in the description depends on the context. Also, a "document" may include text, graphics or mixed representations.

[0005] The advent of distributed computer systems made it possible for a single 'network' printer to be used by multiple users. Typically, network printers are attached to computing platforms operating as print servers within distributed systems. Alternatively, some printers, given appropriate interfaces, can be arranged to connect directly to the network of a distributed system.

[0006] Network printers, whether connected directly, or via a print server, to a network, can provide a substantial cost advantage, since each user need not have his own printer connected to, or located near to, his own computer system.

[0007] The ability to access network printers, and other devices, from a local computer, is readily supported by operating systems such as Unix, or Microsoft's™ Windows™ NT, which are designed to be configured to manage distributed operations such as remote printing or data management.

[0008] One problem with printing documents on remote network printers is that any person near to the printer could remove or read printed documents containing sensitive information, which do not belong to them, before the intended recipients are able to retrieve the documents. One way around this is for users who need to print sensitive documents to arrange for a trusted person to stand by the printer while the document is printing and collect the document as soon as it has printed. This, of course, is inconvenient.

[0009] Another way to increase security is to print sensitive documents only on a local printer. The latter case, however, undermines any cost advantages gained in having a centrally located, network printer, especially if many users need to print sensitive documents.

[0010] Another problem associated with remote printing of sensitive documents is that a malicious party could intercept or monitor the transfer of data between the local computer and network printer. For example, anyone with access to a print spooler or print server receiving the document for printing could access the document. This would be highly undesirable and, again, could be overcome by using a local printer attached directly to the originating computer instead.

Disclosure of the Invention

[0011] Aspects of the present invention aim to increase the security of remote printing.

[0012] According to a first aspect, the present invention provides a method of printing a document in a distributed computer system comprising a client, a print server, printing apparatus and a network for interconnecting components of the distributed computer system, the method comprising the steps of:

a sender selecting a document to be printed, identifying an intended recipient for the document and causing the client to transmit to the print server the document accompanied by a first identifier for the intended recipient;

receiving and storing the document and the associated first identifier on the print server;

a recipient providing the printing apparatus with a second identifier, the printing apparatus receiving the second identifier and transmitting to the print server a request including the second identifier, to receive documents from the print server;

the print server receiving the request, comparing the second identifier with the stored first identifier and, for matching identifiers, forwarding the document associated with the first identifier to the printing apparatus; and

the printing apparatus receiving and printing the document.

[0013] Advantageously, a document is only printed when the intended recipient interacts with the printing apparatus in order to retrieve and print the previously-submitted document. In fact, the intended recipient may be the same person as the sender.

[0014] In a preferred embodiment, in order to increase security even further, the client encrypts the document prior to transmitting it to the print server and the printing apparatus decrypts the encrypted document prior to printing it.

[0015] Thus, even if a document were intercepted during transfer between the client and the printing apparatus, say, it would be a non-trivial task for the intercepting party to decrypt the document.

[0016] Preferably, the printing apparatus interacts with a smart card in order to retrieve and/or decrypt the document using information and/or functionality programmed into a smart card provided by the recipient. The smart card may contain the second identifier and may be programmed to assist with document decryption.

[0017] According to a second aspect, the present invention provides printing apparatus arranged for receiving and printing documents, comprising:

an interface for connecting the printer to a print server;

an input/output means for interacting with a user and receiving an identity from the user;

processing means for generating a request for a document, the request including the identity of the user, transmitting the request to the print server and receiving a document from the print server; and

means for printing the document for the user.

[0018] Further aspects, features and embodiments of the present invention will become apparent to the skilled addressee from the following detailed description and claims.

Brief Description of the Drawings

[0019] Embodiments of the present invention will now be described, by way of example only, with reference to the accompanying drawings, of which:

Figure 1 is a diagram which illustrates a distributed computing environment which supports secure printing in accordance with an embodiment of the present invention;

Figure 2 is a block diagram of an architecture for a printer according to the present embodiment;

Figure 3 is a flow diagram which illustrates the steps involved in a user submitting a document for secure printing; and

Figure 4 is a flow diagram which illustrates the steps involved in a secure printer retrieving and printing a print job.

Best Mode For Carrying Out the Invention, & Industrial Applicability

[0020] In Figure 1, a local computer 100, for example an Intel Pentium based computer operating under Windows NT 4.0, includes the standard components of a keyboard, a display and a mouse (none of which are shown). The local computer 100 is attached to a network 110, for example a network supporting the TCP/IP protocol. The local computer 100 provides a secure printer process, or client, which is a software routine that can be initiated by a user when secure printing is required. The process, and all other processes in this embodiment, can be written in any general purpose programming language, such as C++.

[0021] Also connected to the network 110 are a directory server 120, a document store 130, a secure printer 140 and billing engine 150.

[0022] The directory server 120 is a process running on a computer, which has access to a database 125 of user-specific information, known as user profiles. The directory server 120 is arranged to receive from requesting processes requests for specific information for particular users, and returns the specific information to the requesting process, whenever possible. The computer running the directory server 120 could be a Unix or Windows NT platform connected to the network 100 via an appropriate interface. The directory server 120 in the present embodiment is a simple database, which receives enquiries and returns relevant data, but it could be based on purpose-built directory services such as Novell's NDS or Microsoft's Active Directory. In accordance with the present embodiment, the directory server 120 is configured to receive a request including a user identity and return at least a public encryption key associated with the identified user. Communications with the directory server 120 may be with a network protocol such as the Lightweight Directory Access Protocol (LDAP).

[0023] The document store 130 is a process running on a computer which receives and stores encrypted document files and associated user identities. The document store 130 also receives requests to forward to specified locations encrypted document files having a specified identity. Again, the computer running the directory server 120 could be a Unix or Windows NT platform connected to the network 100 via an appropriate interface.

[0024] In practice, the document store 130 can be a modified print spooler or print server process, which has access to a large amount of data storage, for example provided by a disk drive 135. The spooler or server is modified in the respect that it is arranged to recognise encrypted documents and, rather than forwarding them to a specific printer, hold or store the encrypted documents. The spooler or server is also modified to receive requests from printers for specific encrypted documents, search for the specified encrypted documents and transfer the encrypted documents to the requesting printer.

[0025] It should be noted that the document store 130 in the present embodiment is an untrusted part of the distributed system, in that the document store 130 is configured to return documents to any requesting printer, or other device using an appropriate protocol. The present embodiment relies on the security of the strong encryption applied to the document to protect the information in the document.

[0026] In other embodiments, where security is even more important, it is envisaged that the document store 130 would further incorporate authentication functionality, which would allow the document store to authenticate either the requesting printer or smart card user. Authentication systems using, for example, digital signatures are well known and will not be considered herein in any more detail.

[0027] The architecture of the printer 140 according to the present embodiment is illustrated in more detail in Figure 2. Figure 2 illustrates a central processing unit (CPU) 200 that controls a print engine 210, which is a standard part of any printer that enacts printing, and the details thereof are beyond the scope of the present description. A read only memory (ROM) 220 is connected to the CPU 200 by an appropriate system bus 205. The ROM 220 contains the instructions that form the control program for the printer. Also connected to the system bus 205 is non-volatile memory (NV-RAM) 230 and main memory (DRAM) 240. The NV-RAM 230 can be EEPROM or Flash RAM for receiving and storing services downloaded into the printer. The DRAM 240 is used by the printer as buffer memory, for receiving jobs to be printed, and is also used by the CPU 200 in the present embodiment as workspace for decryption and session key storage. All the features of the printer 140 described so far are standard on many generally available printers. The diagram also illustrates the standard printer features of a network interface 250, various sensors 260, for example 'paper out', and a front panel display and keypad 270, all connected to the CPU via the system bus 205. Finally, a smart card reader 280 is provided, also connected to the system bus 205, although it could alternatively be connected via the printer's RS232 port where one is available. Thus, the only significant, non-standard hardware feature of the printer is the smart card reader 280. The other differences depend on software or firmware processing.

[0028] Smart card readers are generally available and conform to accepted standards. The smart card reader used in the present embodiment supports the ISO 7816 standard (levels 1 to 4), and some extra functionality not covered by the ISO standard, which is described herein. Corresponding smart cards are also readily available, and are programmable to operate as described herein.

[0029] In practice, the smart card reader can be incorporated into the casing of a standard printer. Thus, in this case, the only significant, noticeable difference about the printer is a slot 143 in the casing into which a smart card 145 can be inserted and retrieved.

[0030] Printers which generally have the features illustrated in Figure 2 are a Hewlett-Packard LaserJet 5 or a Hewlett-Packard LaserJet 4000. In either printer, the printer's conventional control program can be modified as described herein, by either replacing the printer's firmware, in ROM 220, or by creating a "service", which can be downloaded into the printer's flash memory, NV-RAM 230, from the network.

[0031] Details on how to modify control programs in Hewlett-Packard and others' printers are beyond the scope of the present description, but are readily available from Hewlett-Packard Company or from the respective other printer manufacturers.

[0032] The foregoing description describes a printer with an integral smart card reader, wherein the printer itself is programmed with functionality to retrieve and process encrypted documents. In an alternative embodiment, printing apparatus may be provided comprising a general purpose printer and an external smart card reader unit connected to the printer via a serial port. The smart card unit is also provided with a network interface, for connecting the unit to a network, and an appropriately programmed processor and memory to enable the combination of the general purpose printer and the smart card reader unit to operate as printing apparatus according to the present invention. In effect, the smart card reader unit is designed to interact with the recipient, who inserts his smart card, interact with the document store 130 to retrieve and decrypt the session key, and the encrypted document, and forward the document to the printer to be printed.

[0033] Clearly, this embodiment does provide a weak link in the security of the overall system, by passing the unencrypted document over the communications link between the smart card reader unit and the printer. However, it is believed that the associated risks are minimised when the printer and smart card reader unit are co-located.

[0034] Such an arrangement may be preferable where a business wishes to utilise the invention in a cost effective way using existing printing equipment. It is also envisaged that the functionality in the printer and the smart card reader unit necessary to implement the invention may be partitioned in other ways, depending on the circumstances.

[0035] The billing system 150 is a process running on a computer which electronically bills users of the secure printing system. There are three main areas where users could be billed, which are for: submission of an encrypted document to the document store 130; storage by the document store 130 of a document for a specified time; and transmission and successful printing of the document. Other acts, such as using the directory server 120, could potentially also be billed. The sender or the recipient, or both, could be billed for any or each of these acts. For example, the sender could be billed for the submission, and the recipient could be billed for the storage and printing of the document. Of course, the sender and the recipient might be the same person, or different people from the same organisation, in which case a single person or organisation respectively would be billed for everything. Further, the owner of the document store and the owner of the printer might be different independent service providers. For example, in the case where the printer is in a public place, and for use by the public, then the printer's owner would want financial reward for providing the service. Therefore, it would be necessary for a printer to identify itself in enough detail that the billing system 150 could allocate billed funds to the printer's owner.

[0036] For every act, it is necessary to identify the party to be billed and the party to be paid. Electronic identification and authentication for the purposes of electronic billing are well known in the field of electronic commerce, and will not therefore be discussed in any more detail herein.

[0037] The operation of the local computer 100 in submitting a secure print job will now be described with reference to the flow diagram in Figure 3.

[0038] In step 300 of Figure 3, the local computer's operator (not shown), in other words the document's sender, has a document, for example a word-processed document, to be submitted for printing. The sender initiates the secure printing process for the secure printing of the document, in step 305. The secure printing process, in step 310, generates a graphical user interface, which requires the sender to enter the document details and the identity of the intended recipient. Of course, the intended recipient might be the sender himself. The sender enters the required details in step 315. Having received a valid input from the sender, the process, in step 320, continues by transmitting a request including the details input by the sender to the directory server 120. In response, the directory server 120 returns to the secure printing process the public key for the intended recipient in step 325.

[0039] Next, in step 330, the secure printer process formats the document into a page description language, such as PostScript or PCL, which is interpretable by a printer. Obviously, the language will depend on the type of printer or other hardcopy apparatus to be used. The secure printer process then, in step 335, applies bulk encryption to the formatted document while retaining its integrity. This can be achieved using a message digest function such as the Secure Hash Algorithm (SHA-1) and a symmetric block or stream cipher, for instance, Data Encryption Standard (DES). The cipher uses a random number generated by the secure printer process to enact the encryption. The random number constitutes a session key. This step is a symmetric encryption step, which relies on a recipient having access to the session key to decrypt the document.

[0040] Alternative message digest algorithms, such as MD5, symmetric ciphers such as CAST or IDEA, and asymmetric algorithms such as the Elliptic Curve ElGamal encryption scheme can be used instead of the algorithms specified earlier.

[0041] In step 340, the secure printer process then applies an asymmetric encryption algorithm, such as RSA, to the session key, using the intended recipient's retrieved public key. Thus, after this step, only someone who has knowledge of the private key associated with the public key can decrypt the session key and hence then decrypt the document.

[0042] In some embodiments, where the whole procedure is enacted within the bounds of a relatively trusted or secure environment, it might be felt unnecessary to use the encryption stages. In such cases, for example where the messages are never transmitted outside of a single building, it might be sufficient to arrange that a document is only printed when a recipient is available at the printer.

[0043] In step 345, the secure printing process forwards across the network 110, to the document store 130, a message comprising the encrypted document, an "envelope" for the document (which contains the encrypted session key), and the respective identity of the intended recipient.

[0044] Finally, in step 350, the document store 130 receives the message and stores it appropriately to hard disk 135.

[0045] The process of securely printing a document retrieved from the document store 130 will now be described with reference to the flow diagram in Figure 4.

[0046] In step 400 of Figure 4, the intended recipient of the document which has been stored by the document store 130 as described already, inserts his smart card into the smart card reader 280 of the secure printer 140. The smart card includes the recipient's identity and the recipient's private key. Although not illustrated in the flow diagram, it would be typical at this stage for the printer 140 to request entry by the recipient of a personal identification number, to verify that the recipient is the genuine owner of the smart card, and not someone who has found, or even stolen, it.

[0047] The smart card reader 280 reads the smart card, in step 405, and extracts the identity therefrom. Then, in step 410, the smart card reader 280 forwards the identity to the printer's CPU 200. The CPU 200 receives the identity in step 415 and generates a message including the identity, in step 420, which it forwards to the document store 130 in step 425.

[0048] In step 430, the document store 130 receives the message and, in step 435, searches the hard disk 135 for any documents having the same identity. In the present embodiment, the document store 130 will find one document. However, in general, there may be none, or any number of documents having a matching identity stored on the hard disk 135. At this stage, the document store 130 and printer 140 may be arranged to interact to provide status information to the recipient, displayed on a front panel display 270 of the printer, for example showing the number of documents awaiting printing, or that there are no documents waiting. Additionally, the recipient may even be given a choice of which (of several) documents he would like to retrieve.

[0049] Next, in step 440, the document store 130 returns to the printer 140 only the envelope for the document having the matching identity. In principle, the document could be sent at this stage as well, although whether or not this is done depends on the size of the document and the amount of available printer buffer memory. It is believed preferable at present to retrieve only the envelope, unless the printer 140 has a significant amount of RAM 240 into which the whole document could be received.

[0050] In step 445, the printer receives the envelope and, in step 450, forwards the encrypted session key to the smart card reader 280. The smart card reader 280 transfers the encrypted session key to the smart card, and the smart card, in turn, decrypts the session key, in step 455, using the private key stored therein. The smart card outputs the decrypted session key, in step 460, and the smart card reader 280 forwards the session key to the CPU 200, in step 465.

[0051] This technique for retrieving the session key is extremely advantageous, since the private key never needs to leave the smart card, and thus remains secret even from the printer.

[0052] The printer 140 forwards a message to the document store 130, in step 470, for the document store to transmit the encrypted document to the printer 140. In step 475, the document store 130 receives the message and, in step 480, transmits the document to the printer 140. In step 485, the printer 140 receives the document and, in step 490, deciphers it back into page description language using the session key.

[0053] Finally, in step 495, the printer prints the document for the intended recipient.
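The submission flow of Figure 3 and the retrieval flow of Figure 4, as an added example that is not part of the patent text. Textbook RSA over small fixed primes and a SHA-256 keystream stand in for the RSA and DES steps so that it runs on the Python standard library alone; the class and function names, the digest-before-encryption layout and the sample job are assumptions made here.

```python
import hashlib
import hmac
import secrets

SAMPLE_JOB = b"%!PS-Adobe-3.0 constructed sample page description"


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in bulk cipher (the text names DES): XOR with a SHA-256 keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


class SmartCard:
    """Recipient's card: identity plus private key; only unwrapping is exposed."""

    def __init__(self, identity: str, p: int, q: int, e: int = 65537):
        self.identity = identity
        self.public_key = (p * q, e)             # what the directory server returns
        self._d = pow(e, -1, (p - 1) * (q - 1))  # private exponent never leaves the card

    def decrypt_session_key(self, wrapped: int) -> bytes:
        n, _ = self.public_key
        size = (n.bit_length() + 7) // 8
        return pow(wrapped, self._d, n).to_bytes(size, "big")[-16:]


class DocumentStore:
    """Untrusted holder ([0025]): answers any request that names an identity."""

    def __init__(self):
        self._jobs = {}

    def hold(self, identity: str, wrapped_key: int, ciphertext: bytes) -> None:
        self._jobs.setdefault(identity, []).append((wrapped_key, ciphertext))

    def envelopes(self, identity: str) -> list:
        return [wrapped for wrapped, _ in self._jobs.get(identity, [])]

    def document(self, identity: str, index: int) -> bytes:
        return self._jobs[identity][index][1]


def submit_job(document: bytes, recipient: str, directory: dict, store: DocumentStore) -> None:
    """Client side, steps 320 to 345."""
    n, e = directory[recipient]                               # public key lookup
    session_key = secrets.token_bytes(16)                     # random session key
    digest = hashlib.sha256(document).digest()                # integrity digest (assumed layout)
    ciphertext = keystream_xor(session_key, digest + document)
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)   # the "envelope"
    store.hold(recipient, wrapped, ciphertext)


def release_jobs(card: SmartCard, store: DocumentStore, claimed_identity: str = "") -> list:
    """Printer side, steps 405 to 490: envelope first, then the document."""
    identity = claimed_identity or card.identity
    printed = []
    for index, wrapped in enumerate(store.envelopes(identity)):
        session_key = card.decrypt_session_key(wrapped)       # done inside the card
        plain = keystream_xor(session_key, store.document(identity, index))
        digest, document = plain[:32], plain[32:]
        if hmac.compare_digest(hashlib.sha256(document).digest(), digest):
            printed.append(document)                          # only intact jobs print
    return printed


def demo():
    # Constructed toy keys built from Mersenne primes; far too small for real use.
    alice = SmartCard("alice", 2**127 - 1, 2**89 - 1)
    bob = SmartCard("bob", 2**107 - 1, 2**61 - 1)
    directory = {card.identity: card.public_key for card in (alice, bob)}
    store = DocumentStore()
    submit_job(SAMPLE_JOB, "alice", directory, store)
    return (
        release_jobs(alice, store),           # intended recipient: job prints
        release_jobs(bob, store),             # no jobs held for bob
        release_jobs(bob, store, "alice"),    # store hands over data, digest check fails
    )


if __name__ == "__main__":
    print(demo())
```

The third call models the property stated in [0025]: the store releases the envelope and ciphertext to a request naming alice, but without alice's card the session key does not unwrap and nothing prints.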
[0054] It is envisaged that, alternatively, the smart card itself might be programmed to enact the decryption of the document. This, of course, is a design decision.

[0055] It will be appreciated that the network 110 could be a local area network, a wide area network or even global area network. For example, for the case of a global area network, the local computer 100 could be situated in an office in London and the printer could be located in an airport in Tokyo or New York. Similarly, the directory server 120 and the document store 130 could be located anywhere in the world.

[0056] In some embodiments, for responsiveness purposes, it may be desirable to have mirror document stores (not shown) - similar to Internet mirror sites - where the data in one store is copied by the store to other, geographically distant document stores. Thus, for example, there may be a London-based data server, and Tokyo and New York-based data servers. On receiving a document, the London data server would copy the document to both the Tokyo and New York data servers so that the recipient could retrieve and print the document from the data server nearest the printer being used. Obviously, the data mirroring could be tuned if it is known where the recipient is most likely to be when he wishes to print the document. For example, if the recipient were likely to be in New York, but might instead be in London, then a document submitted in London would only be mirrored to the New York-based data server. Such recipient location information could form part of the user profile information stored by the directory server 120. Thus, the location information under these circumstances would also be returned to the local computer 100 with the public key information, and this information would also be forwarded to the document store 130.

[0057] It is envisaged that the directory server 120 will hold other user profile information. For example, a recipient may only ever wish to receive documents from one specified printer. In this case, the information returned by the directory server 120 would reflect this and the document store 130 would then only release the encrypted document to the specified printer. Other information held by the directory server 120 for particular users might include printer information, which determines how the document is formatted by the local computer 100, for example whether to format the document into PostScript or PCL. In general, it is expected that the user can access the directory server 120, for example via the Internet, and modify his user profile whenever required.

[0058] It will also be appreciated that the components and processes described above need not reside on different computers. For example, the local computer 100 could support directory server and document store processes, as well as a secure printer process.

[0059] Furthermore, there is no reason why any or all of the processes described herein could not be located and called from any of a number of different computer systems connected to the distributed environment. Having said this, it is important, although not essential (as exemplified in the alternative embodiment described above), that documents that require secure printing do not pass across any publicly accessible or low security communications channels, without being in an encrypted state.
ciafins 

1. A method of printing a document in a distributed 
oonputer system conprising a client a print server. 
<$ printing apparatus arvj a network for interconnect- 
ing components of the distributed computer sys- 
tem, the method comprising the steps of: 

a sender selecting a document to be printed. 

so identifying an intended recipient for the docu- 

ment and causing the client to transmit to the 
print server the document accompanied by a 
first foentifier for the intended recipjent, 
.: receiving and storing the document and the 

55 associated first identifier on the print server; 

a redpfont providing the printing apparatus with 
a second foentifier. the printing apparatus 
receiving the second ktentifier and transmittihg 
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to the prim server a request indixfing the sec- 
ond identifier, to receive documents from the 
prMsenrer; 

the print server receiving the recpjest, compar- 
ing the second identifier with the stored first 5 
identifier and. lor matching identifiers, forward- 
ing the document associated with the first iderh 
tffier to the printing apparati^; and 
the printing apparatus receiving and printing
the document.

2. A method according to claim 1, wherein the client
encrypts the document prior to transmitting it to the
print server and the printing apparatus decrypts the
encrypted document prior to printing it.

3. A method according to claim 2, wherein the recipient
provides the printing apparatus with means
necessary for decrypting the encrypted document.

4. A method according to claim 3, wherein the printing
apparatus interacts with a smart card in order to
retrieve and/or decrypt the document using information
and/or functionality programmed into a
smart card provided by the recipient.

5. A method according to claim 4, wherein the smart
card provided by the recipient stores data including
said second identifier and the printing apparatus
extracts the second identifier from the smart card.

6. A method according to claim 4 or claim 5, wherein
the smart card, which is programmed with a
decryption algorithm and stores a secret, receives
encrypted information from the printing apparatus,
decrypts the encrypted information using the secret
and returns the decrypted information to the printing
apparatus.

7. A method according to claim 6, further comprising
the client:

encrypting the document using a first key, the
first key being the key of a symmetric encryption
algorithm;

encrypting the first encryption key using a second
key, the second key being the public key of
an asymmetric encryption algorithm; and

transmitting to the print server the encrypted
document and the first identifier accompanied
by the associated encrypted first key.

8. A method according to claim 6, wherein the client
obtains the second key from a key repository on the
basis of the identity of the intended recipient.

9. A method according to claim 7 or claim 8, further
comprising the printing apparatus:

receiving the encrypted first key from the print
server in response to the request;

forwarding the encrypted first key to the smart
card such that the smart card decrypts the
encrypted first key using the secret and returns
the first key to the printing apparatus, the secret
being the private key of the asymmetric
encryption algorithm; and

using the first key to decrypt the encrypted
document.


10. Printing apparatus configured for operation according
to the method of any one of the preceding
claims.

11. A client configured for operation according to the
method of any one of claims 1 to 9.

12. A print server configured for operation according to
the method of any one of claims 1 to 9.

13. A distributed computing system configured for
operation according to the method of any one of
claims 1 to 9.
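The message flow of method claims 1 and 6 to 9, as an added sketch that is not part of the patent text. All class and function names are hypothetical, and textbook RSA over Mersenne primes plus a SHA-256 keystream are toy stand-ins for the unspecified asymmetric and symmetric algorithms, chosen so the sketch runs with the standard library only.

```python
import hashlib
import secrets

def bulk_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in bulk cipher (SHA-256 counter keystream); illustration only."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class SmartCard:
    """Holds the secret; releases only the decrypted first key (claims 6, 9)."""
    def __init__(self, identity: str, p: int, q: int, e: int = 65537):
        self.identity, self.public = identity, (p * q, e)
        self._d = pow(e, -1, (p - 1) * (q - 1))  # private key stays on the card
    def decrypt_key(self, enc_key: int) -> bytes:
        n = self.public[0]
        m = pow(enc_key, self._d, n)
        return m.to_bytes((n.bit_length() + 7) // 8, "big")[-16:]

class PrintServer:
    """Stores ciphertext, wrapped key and first identifier only (claim 1)."""
    def __init__(self):
        self.jobs = []
    def submit(self, first_id, enc_key, enc_doc):
        self.jobs.append((first_id, enc_key, enc_doc))
    def fetch(self, second_id):
        # Compare the second identifier with each stored first identifier.
        return [(k, d) for i, k, d in self.jobs if i == second_id]

def client_send(server, repository, recipient, document: bytes):
    """Claims 7 and 8: wrap a fresh first key under the recipient's public key."""
    n, e = repository[recipient]
    first_key = secrets.token_bytes(16)
    enc_key = pow(int.from_bytes(first_key, "big"), e, n)  # toy textbook RSA
    server.submit(recipient, enc_key, bulk_xor(first_key, document))

def printer_release(server, card):
    """Claims 1 and 9: request by card identity, unwrap via the card, decrypt."""
    return [bulk_xor(card.decrypt_key(k), d)
            for k, d in server.fetch(card.identity)]

# Constructed demo data: two cards, one job addressed to "alice".
alice = SmartCard("alice", 2**89 - 1, 2**107 - 1)
bob = SmartCard("bob", 2**127 - 1, 2**61 - 1)
repo = {c.identity: c.public for c in (alice, bob)}
server = PrintServer()
client_send(server, repo, "alice", b"Q3 salary review - confidential")
```

The server matches on the identifier alone, so protection of a misdelivered or copied job rests on the private key never leaving the card: a different card given the same wrapped key recovers neither the first key nor the document.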

14. Printing apparatus arranged for receiving and printing
documents, comprising:

an interface for connecting the printer to a print
server;

an input/output means for interacting with a
user and receiving an identity from the user;

processing means for generating a request for
a document, the request including the identity
of the user, transmitting the request to the print
server and receiving a document from the print
server; and

means for printing the document for the user.

15. Printing apparatus according to claim 14, further
comprising processing means for receiving and
decrypting an encrypted document received from
the print server.

16. Printing apparatus according to claim 15, wherein
the input/output means is arranged to receive
removable processing means from the user, the
removable processing means providing means
necessary for decrypting the encrypted document.

17. Printing apparatus according to claim 16, wherein
the input/output means comprises a smart card
reading device for receiving a smart card from the
user.

18. Printing apparatus according to claim 17, wherein
the smart card reading device is arranged to extract
the identity of the user from the smart card.
19. Printing apparatus according to claim 17 or claim
18, wherein the smart card reading device is
arranged to forward encrypted information to the
smart card and receive back from the smart card
unencrypted information, the smart card being
arranged to receive encrypted information, decrypt
the encrypted information using a secret stored on
the smart card and return the decrypted information.

20. Printing apparatus according to claim 19, further
comprising:

means to receive from the print server, in
response to the request, an encrypted first key;

means to forward the encrypted first key to the
smart card such that the smart card decrypts
the encrypted first key using the secret and
returns the first key; and

means to decrypt the encrypted document
using the first key.

21. Printing apparatus according to any one of claims
17 to 20, comprising a casing configured to contain
the components of the printing apparatus including
an integrated smart card reader, the casing having
a slot therein for receiving a smart card through the
casing and into the smart card reader.

22. Printing apparatus according to any one of claims
17 to 20, comprising a printer including interface
means and a smart card reading device connected
to the printer via the interface means.

23. Printing apparatus according to claim 22, wherein
the smart card reading device comprises an interface
means for connecting the device to the network.

24. Printing apparatus according to claim 23, wherein
the smart card reading device comprises:

means to extract the user identity from the
smart card;

means to generate and transmit the request via
the network to the print server;

means to receive from the print server an
encrypted document and an encrypted key;

means to forward the encrypted key to the
smart card, such that the smart card decrypts
and returns the key;

means to decrypt the encrypted document
using the key; and

means to forward the document to the printer to
be printed.

25. A smart card reading device configured for operation
with printing apparatus according to any one of
claims K to 24,